AWS IAM

Control who can do what in AWS. Users, roles, and permissions.

Tags: security, Free Tier, intermediate

  • Cost: Free (no additional charge)
  • Users/Account: 5,000 (IAM users limit)
  • Roles/Account: 10,000 (IAM roles limit)
  • Policy Size: 6,144 characters (limit)

What is IAM?

Manage access to AWS. Create users, assign permissions, control what they can do. Free service. Every AWS account needs it. Security starts here.

Think of it like a building's security system

Users are employees with keycards. Roles are temporary visitor badges. Policies are the rules about which doors each card can open.

Key Features

  • Users & Groups: Create users. Organize them into groups for easier management.
  • Roles: Temporary credentials. For services, apps, and cross-account access.
  • Policies: JSON documents that define permissions. Allow or deny actions.
  • MFA: Multi-factor authentication. Add security beyond passwords.
  • Access Analyzer: Find resources shared externally. Audit your permissions.
  • Identity Center: Single sign-on for multiple AWS accounts. Centralized access.

When to Use

  • Control AWS access (always)
  • Grant service permissions
  • Cross-account access
  • Federated login (SSO)
  • Temporary credentials
  • Audit permissions

When Not to Use

  • App user login → Cognito
  • Customer identity → Cognito
  • API keys for apps → Secrets Manager
  • SSH keys → EC2 Instance Connect
  • Database passwords → Secrets Manager
  • Fine-grained app permissions → Verified Permissions

Prerequisites

  • An AWS account
  • Understanding of JSON (for policies)
  • AWS CLI installed (optional)

AWS Console Steps

  1. Open IAM Dashboard: Navigate to IAM in the AWS Console
  2. Secure Root Account: Enable MFA on the root user and create an admin IAM user
  3. Create IAM User: Create a user with programmatic and/or console access
  4. Attach Policies: Attach AWS managed policies or create custom policies
  5. Create Roles: Create roles for EC2, Lambda, or cross-account access
  6. Test Access: Use the IAM Policy Simulator to test permissions

AWS CLI Quickstart

Create IAM user with AWS CLI

Create an IAM user and attach a policy using the AWS CLI

# Create IAM user
aws iam create-user --user-name developer

# Create access keys (the secret access key is returned only once; store it securely)
aws iam create-access-key --user-name developer

# Attach a managed policy
aws iam attach-user-policy \
  --user-name developer \
  --policy-arn arn:aws:iam::aws:policy/PowerUserAccess

# Create a role for EC2 (trust-policy.json must already contain the role's trust
# policy, allowing the ec2.amazonaws.com service principal to call sts:AssumeRole)
aws iam create-role \
  --role-name EC2-S3-Access \
  --assume-role-policy-document file://trust-policy.json

Creates an IAM user with access keys and attaches the PowerUserAccess managed policy.

First Project Ideas

  • Create an admin user and stop using root
  • Set up MFA for all users
  • Create a role for EC2 to access S3
  • Implement a password policy
  • Create a cross-account access role

Pro Tips (8)

Start with zero permissions (security)

Grant only what's needed. Use Access Analyzer to generate policies from CloudTrail activity.

  • Do: Generate policies from Access Analyzer
  • Don't use AdministratorAccess unless required

Use roles, not access keys (security)

Roles provide temporary credentials that auto-rotate. Access keys are permanent secrets that can leak.

  • Do: Attach IAM roles to EC2, Lambda, ECS
  • Don't embed access keys in code

Require MFA for all users (security)

Use virtual MFA apps or hardware keys. Enforce via policy conditions.

  • Do: Use hardware keys for root and admins
  • Don't allow console access without MFA

Add conditions to policies (security)

Use aws:MultiFactorAuthPresent, aws:SourceIp, aws:PrincipalOrgID for fine-grained control.

  • Do: Require MFA for sensitive operations
  • Don't forget to test conditions
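The trust-policy.json file the CLI quickstart references, plus a permission policy built from the three condition keys in this tip, as an added example (not code from the page) with a small offline checker; the org ID and CIDR are constructed placeholders, and conditions_met is a simplified stand-in for the real IAM evaluator, not AWS's logic.

```python
import ipaddress
import json

# Trust policy for the EC2 role in the CLI quickstart (the content of
# trust-policy.json): only the EC2 service may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

def mfa_scoped_policy(org_id="o-exampleorgid", cidr="203.0.113.0/24"):
    """Identity policy using the three condition keys from the tip;
    org_id and cidr are constructed placeholders, not real values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": cidr},
                "StringEquals": {"aws:PrincipalOrgID": org_id},
            },
        }],
    }

def conditions_met(statement, ctx):
    """Simplified check (not AWS's evaluator) that a request context satisfies
    every condition; a key absent from the context fails it, as in IAM."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool" and str(actual).lower() != expected:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "IpAddress" and ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                return False
    return True

def policy_chars(doc):
    """Characters counted against the 6,144-char managed policy limit (whitespace excluded)."""
    return len(json.dumps(doc, separators=(",", ":")))
```

Run the policy through the IAM Policy Simulator (console step 6) before relying on it; the checker here only catches condition mistakes you can reproduce with a sample request context.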

Enable Access Analyzer (security)

Finds resources shared externally. Generates least-privilege policies from CloudTrail.

  • Do: Enable in all regions
  • Don't ignore Access Analyzer findings

Review credential reports monthly (operational)

CSV report shows password age, MFA status, access key age. Essential for audits.

  • Do: Automate alerts for policy violations
  • Don't let access keys age beyond 90 days

Know service-linked roles (operational)

AWS creates and manages these. You can view but not edit the permissions.

  • Do: Let AWS manage service-linked roles
  • Don't try to modify service-linked role policies

Use permission boundaries (security)

Set maximum permissions for delegated admin. Prevents privilege escalation.

  • Do: Apply boundaries when delegating IAM admin
  • Don't allow unrestricted IAM permissions

Key Facts (8)

  • 5,000 users per account: soft limit; use federation for more identities.
  • 10,000 roles per account: soft limit; service-linked roles count too.
  • Policy size: 6,144 chars (managed); inline policies limited to 2,048 chars.
  • 10 groups per user max: users inherit permissions from all groups.
  • 10 managed policies per entity: plus 1 inline policy allowed.
  • 2 access keys per user: enables zero-downtime key rotation.
  • Role sessions: 1-12 hours; default 1 hour, role chaining limited to 1 hour.
  • 5 versions per managed policy: delete old versions before creating new ones.
